$ oc new-project hello-openshift
A route allows you to host your application at a public URL. It can either be secure or unsecured, depending on the network security configuration of your application. An HTTP-based route is an unsecured route that uses the basic HTTP routing protocol and exposes a service on an unsecured application port.
The following procedure describes how to create a simple HTTP-based route to a web application, using the hello-openshift
application as an example.
You installed the OpenShift CLI (oc
).
You are logged in as an administrator.
You have a web application that exposes a port and a TCP endpoint listening for traffic on the port.
Create a project called hello-openshift
by running the following command:
$ oc new-project hello-openshift
Create a pod in the project by running the following command:
$ oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json
Create a service called hello-openshift
by running the following command:
$ oc expose pod/hello-openshift
Create an unsecured route to the hello-openshift
application by running the following command:
$ oc expose svc hello-openshift
If you examine the resulting Route
resource, it should look similar to the following:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: hello-openshift
spec:
host: hello-openshift-hello-openshift.<Ingress_Domain> (1)
port:
targetPort: 8080 (2)
to:
kind: service
name: hello-openshift
1 | <Ingress_Domain> is the default ingress domain name. The ingresses.config/cluster object is created during the installation and cannot be changed. If you want to specify a different domain, you can specify an alternative cluster domain using the appsDomain option. |
2 | targetPort is the target port on pods that is selected by the service that this route points to. |
To display your default ingress domain, run the following command:
|
You can configure the default timeouts for an existing route when you have services in need of a low timeout, which is required for service Level Availability (SLA) purposes, or a high timeout, for cases with a slow back end.
You need a deployed Ingress Controller on a running cluster.
Using the oc annotate
command, add the timeout to the route:
$ oc annotate route <route_name> \
--overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> (1)
1 | Supported time units are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d). |
The following example sets a timeout of two seconds on a route named myroute
:
$ oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s
HTTP Strict Transport Security (HSTS) policy is a security enhancement, which signals to the browser client that only HTTPS traffic is allowed on the route host. HSTS also optimizes web traffic by signaling HTTPS transport is required, without using HTTP redirects. HSTS is useful for speeding up interactions with websites.
When HSTS policy is enforced, HSTS adds a Strict Transport Security header to HTTP and HTTPS responses from the site. You can use the insecureEdgeTerminationPolicy
value in a route to redirect HTTP to HTTPS. When HSTS is enforced, the client changes all requests from the HTTP URL to HTTPS before the request is sent, eliminating the need for a redirect.
Cluster administrators can configure HSTS to do the following:
Enable HSTS per-route
Disable HSTS per-route
Enforce HSTS per-domain, for a set of domains, or use namespace labels in combination with domains
HSTS works only with secure routes, either edge-terminated or re-encrypt. The configuration is ineffective on HTTP or passthrough routes. |
HTTP strict transport security (HSTS) is implemented in the HAProxy template and applied to edge and re-encrypt routes that have the haproxy.router.openshift.io/hsts_header
annotation.
You are logged in to the cluster with a user with administrator privileges for the project.
You installed the oc
CLI.
To enable HSTS on a route, add the haproxy.router.openshift.io/hsts_header
value to the edge-terminated or re-encrypt route. You can use the oc annotate
tool to do this by running the following command:
$ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;\ (1)
includeSubDomains;preload"
1 | In this example, the maximum age is set to 31536000 ms, which is approximately eight and a half hours. |
In this example, the equal sign ( |
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload (1) (2) (3)
...
spec:
host: def.abc.com
tls:
termination: "reencrypt"
...
wildcardPolicy: "Subdomain"
1 | Required. max-age measures the length of time, in seconds, that the HSTS policy is in effect. If set to 0 , it negates the policy. |
2 | Optional. When included, includeSubDomains tells the client
that all subdomains of the host must have the same HSTS policy as the host. |
3 | Optional. When max-age is greater than 0, you can add preload in haproxy.router.openshift.io/hsts_header to allow external services to include this site in their HSTS preload lists. For example, sites such as Google can construct a list of sites that have preload set. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, even before they have interacted with the site. Without preload set, browsers must have interacted with the site over HTTPS, at least once, to get the header. |
To disable HTTP strict transport security (HSTS) per-route, you can set the max-age
value in the route annotation to 0
.
You are logged in to the cluster with a user with administrator privileges for the project.
You installed the oc
CLI.
To disable HSTS, set the max-age
value in the route annotation to 0
, by entering the following command:
$ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=0"
You can alternatively apply the following YAML to create the config map: Example of disabling HSTS per-route
|
To disable HSTS for every route in a namespace, enter the followinf command:
$ oc annotate <route> --all -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=0"
To query the annotation for all routes, enter the following command:
$ oc get route --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'
Name: routename HSTS: max-age=0
To enforce HTTP Strict Transport Security (HSTS) per-domain for secure routes, add a requiredHSTSPolicies
record to the Ingress spec to capture the configuration of the HSTS policy.
If you configure a requiredHSTSPolicy
to enforce HSTS, then any newly created route must be configured with a compliant HSTS policy annotation.
To handle upgraded clusters with non-compliant HSTS routes, you can update the manifests at the source and apply the updates. |
You cannot use |
HSTS cannot be applied to insecure, or non-TLS routes, even if HSTS is requested for all routes globally. |
You are logged in to the cluster with a user with administrator privileges for the project.
You installed the oc
CLI.
Edit the Ingress config file:
$ oc edit ingresses.config.openshift.io/cluster
apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: 'hello-openshift-default.apps.username.devcluster.openshift.com'
requiredHSTSPolicies: (1)
- domainPatterns: (2)
- '*hello-openshift-default.apps.username.devcluster.openshift.com'
- '*hello-openshift-default2.apps.username.devcluster.openshift.com'
namespaceSelector: (3)
matchLabels:
myPolicy: strict
maxAge: (4)
smallestMaxAge: 1
largestMaxAge: 31536000
preloadPolicy: RequirePreload (5)
includeSubDomainsPolicy: RequireIncludeSubDomains (6)
- domainPatterns: (2)
- 'abc.example.com'
- '*xyz.example.com'
namespaceSelector:
matchLabels: {}
maxAge: {}
preloadPolicy: NoOpinion
includeSubDomainsPolicy: RequireNoIncludeSubDomains
1 | Required. requiredHSTSPolicies are validated in order, and the first matching domainPatterns applies. |
2 | Required. You must specify at least one domainPatterns hostname. Any number of domains can be listed. You can include multiple sections of enforcing options for different domainPatterns . |
3 | Optional. If you include namespaceSelector , it must match the labels of the project where the routes reside, to enforce the set HSTS policy on the routes. Routes that only match the namespaceSelector and not the domainPatterns are not validated. |
4 | Required. max-age measures the length of time, in seconds, that the HSTS policy is in effect. This policy setting allows for a smallest and largest max-age to be enforced.
|
5 | Optional. Including preload in haproxy.router.openshift.io/hsts_header allows external services to include this site in their HSTS preload lists. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, before they have interacted with the site. Without preload set, browsers need to interact at least once with the site to get the header. preload can be set with one of the following:
|
6 | Optional. includeSubDomainsPolicy can be set with one of the following:
|
You can apply HSTS to all routes in the cluster or in a particular namespace by entering the oc annotate command
.
To apply HSTS to all routes in the cluster, enter the oc annotate command
. For example:
$ oc annotate route --all --all-namespaces --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000"
To apply HSTS to all routes in a particular namespace, enter the oc annotate command
. For example:
$ oc annotate route --all -n my-namespace --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000"
You can review the HSTS policy you configured. For example:
To review the maxAge
set for required HSTS policies, enter the following command:
$ oc get clusteroperator/ingress -n openshift-ingress-operator -o jsonpath='{range .spec.requiredHSTSPolicies[*]}{.spec.requiredHSTSPolicies.maxAgePolicy.largestMaxAge}{"\n"}{end}'
To review the HSTS annotations on all routes, enter the following command:
$ oc get route --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'
Name: <_routename_> HSTS: max-age=31536000;preload;includeSubDomains
Sometimes applications deployed through OpenShift Container Platform can cause network throughput issues such as unusually high latency between specific services.
Use the following methods to analyze performance issues if pod logs do not reveal any cause of the problem:
Use a packet analyzer, such as ping or tcpdump to analyze traffic between a pod and its node.
For example, run the tcpdump tool on each pod while reproducing the behavior that led to the issue. Review the captures on both sides to compare send and receive timestamps to analyze the latency of traffic to and from a pod. Latency can occur in OpenShift Container Platform if a node interface is overloaded with traffic from other pods, storage devices, or the data plane.
$ tcpdump -s 0 -i any -w /tmp/dump.pcap host <podip 1> && host <podip 2> (1)
1 | podip is the IP address for the pod. Run the oc get pod <pod_name> -o wide command to get
the IP address of a pod. |
tcpdump generates a file at /tmp/dump.pcap
containing all traffic between
these two pods. Ideally, run the analyzer shortly
before the issue is reproduced and stop the analyzer shortly after the issue
is finished reproducing to minimize the size of the file.
You can also run a packet analyzer between the nodes (eliminating the SDN from
the equation) with:
$ tcpdump -s 0 -i any -w /tmp/dump.pcap port 4789
Use a bandwidth measuring tool, such as iperf, to measure streaming throughput and UDP throughput. Run the tool from the pods first, then from the nodes, to locate any bottlenecks.
For information on installing and using iperf, see this Red Hat Solution.
OpenShift Container Platform provides sticky sessions, which enables stateful application traffic by ensuring all traffic hits the same endpoint. However, if the endpoint pod terminates, whether through restart, scaling, or a change in configuration, this statefulness can disappear.
OpenShift Container Platform can use cookies to configure session persistence. The Ingress controller selects an endpoint to handle any user requests, and creates a cookie for the session. The cookie is passed back in the response to the request and the user sends the cookie back with the next request in the session. The cookie tells the Ingress Controller which endpoint is handling the session, ensuring that client requests use the cookie so that they are routed to the same pod.
Cookies cannot be set on passthrough routes, because the HTTP traffic cannot be seen. Instead, a number is calculated based on the source IP address, which determines the backend. If backends change, the traffic can be directed to the wrong server, making it less sticky. If you are using a load balancer, which hides source IP, the same number is set for all connections and traffic is sent to the same pod. |
You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. By deleting the cookie it can force the next request to re-choose an endpoint. So, if a server was overloaded it tries to remove the requests from the client and redistribute them.
Annotate the route with the specified cookie name:
$ oc annotate route <route_name> router.openshift.io/cookie_name="<cookie_name>"
where:
<route_name>
Specifies the name of the route.
<cookie_name>
Specifies the name for the cookie.
For example, to annotate the route my_route
with the cookie name my_cookie
:
$ oc annotate route my_route router.openshift.io/cookie_name="my_cookie"
Capture the route hostname in a variable:
$ ROUTE_NAME=$(oc get route <route_name> -o jsonpath='{.spec.host}')
where:
<route_name>
Specifies the name of the route.
Save the cookie, and then access the route:
$ curl $ROUTE_NAME -k -c /tmp/cookie_jar
Use the cookie saved by the previous command when connecting to the route:
$ curl $ROUTE_NAME -k -b /tmp/cookie_jar
Path-based routes specify a path component that can be compared against a URL, which requires that the traffic for the route be HTTP based. Thus, multiple routes can be served using the same hostname, each with a different path. Routers should match routes based on the most specific path to the least. However, this depends on the router implementation.
The following table shows example routes and their accessibility:
Route | When Compared to | Accessible |
---|---|---|
www.example.com/test |
www.example.com/test |
Yes |
www.example.com |
No |
|
www.example.com/test and www.example.com |
www.example.com/test |
Yes |
www.example.com |
Yes |
|
www.example.com |
www.example.com/text |
Yes (Matched by the host, not the route) |
www.example.com |
Yes |
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: route-unsecured
spec:
host: www.example.com
path: "/test" (1)
to:
kind: service
name: service-name
1 | The path is the only added attribute for a path-based route. |
Path-based routing is not available when using passthrough TLS, as the router does not terminate TLS in that case and cannot read the contents of the request. |
The Ingress Controller can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations. Red Hat does not support adding a route annotation to an operator-managed route.
To create a whitelist with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message. |
Variable | Description | Environment variable used as default |
---|---|---|
|
Sets the load-balancing algorithm. Available options are |
|
|
Disables the use of cookies to track related connections. If set to |
|
|
Specifies an optional cookie to use for this route. The name must consist of any combination of upper and lower case letters, digits, "_", and "-". The default is the hashed internal key name for the route. |
|
|
Sets the maximum number of connections that are allowed to a backing pod from a router. |
|
|
Setting |
|
|
Limits the number of concurrent TCP connections made through the same source IP address. It accepts a numeric value. |
|
|
Limits the rate at which a client with the same source IP address can make HTTP requests. It accepts a numeric value. |
|
|
Limits the rate at which a client with the same source IP address can make TCP connections. It accepts a numeric value. |
|
|
Sets a server-side timeout for the route. (TimeUnits) |
|
|
This timeout applies to a tunnel connection, for example, WebSocket over cleartext, edge, reencrypt, or passthrough routes. With cleartext, edge, or reencrypt route types, this annotation is applied as a timeout tunnel with the existing timeout value. For the passthrough route types, the annotation takes precedence over any existing timeout value set. |
|
|
You can set either an IngressController or the ingress config . This annotation redeploys the router and configures the HA proxy to emit the haproxy |
|
|
Sets the interval for the back-end health checks. (TimeUnits) |
|
|
Sets a whitelist for the route. The whitelist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped. The maximum number of IP addresses and CIDR ranges allowed in a whitelist is 61. |
|
|
Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route. |
|
|
Sets the |
|
|
Sets the rewrite path of the request on the backend. |
|
|
Sets a value to restrict cookies. The values are:
This value is applicable to re-encrypt and edge routes only. For more information, see the SameSite cookies documentation. |
|
|
Sets the policy for handling the
|
|
Environment variables cannot be edited. |
TimeUnits
are represented by a number followed by the unit: us
*(microseconds), ms
(milliseconds, default), s
(seconds), m
(minutes), h
*(hours), d
(days).
The regular expression is: [1-9][0-9]*(us
\|ms
\|s
\|m
\|h
\|d
).
Variable | Default | Description |
---|---|---|
|
|
Length of time between subsequent liveness checks on back ends. |
|
|
Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection does not answer within the given time, HAProxy closes the connection. This is harmless if set to a low value and uses fewer resources on the router. |
|
|
Length of time that a client has to acknowledge or send data. |
|
|
The maximum connection time. |
|
|
Controls the TCP FIN timeout from the router to the pod backing the route. |
|
|
Length of time that a server has to acknowledge or send data. |
|
|
Length of time for TCP or WebSocket connections to remain open. This timeout period resets whenever HAProxy reloads. |
|
|
Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example, |
|
|
Length of time the transmission of an HTTP request can take. |
|
|
Allows the minimum frequency for the router to reload and accept new changes. |
|
|
Timeout for the gathering of HAProxy metrics. |
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/timeout: 5500ms (1)
...
1 | Specifies the new timeout with HAProxy supported units (us , ms , s , m , h , d ). If the unit is not provided, ms is the default. |
Setting a server-side timeout value for passthrough routes too low can cause WebSocket connections to timeout frequently on that route. |
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24
metadata:
annotations:
haproxy.router.openshift.io/ip_whitelist: 180.5.61.153 192.168.1.0/24 10.0.0.0/8
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/rewrite-target: / (1)
...
1 | Sets / as rewrite path of the request on the backend. |
Setting the haproxy.router.openshift.io/rewrite-target
annotation on a route specifies that the Ingress Controller should rewrite paths in HTTP requests using this route before forwarding the requests to the backend application.
The part of the request path that matches the path specified in spec.path
is replaced with the rewrite target specified in the annotation.
The following table provides examples of the path rewriting behavior for various combinations of spec.path
, request path, and rewrite target.
Route.spec.path | Request path | Rewrite target | Forwarded request path |
---|---|---|---|
/foo |
/foo |
/ |
/ |
/foo |
/foo/ |
/ |
/ |
/foo |
/foo/bar |
/ |
/bar |
/foo |
/foo/bar/ |
/ |
/bar/ |
/foo |
/foo |
/bar |
/bar |
/foo |
/foo/ |
/bar |
/bar/ |
/foo |
/foo/bar |
/baz |
/baz/bar |
/foo |
/foo/bar/ |
/baz |
/baz/bar/ |
/foo/ |
/foo |
/ |
N/A (request path does not match route path) |
/foo/ |
/foo/ |
/ |
/ |
/foo/ |
/foo/bar |
/ |
/bar |
Administrators and application developers can run applications in multiple namespaces with the same domain name. This is for organizations where multiple teams develop microservices that are exposed on the same hostname.
Allowing claims across namespaces should only be enabled for clusters with trust between namespaces, otherwise a malicious user could take over a hostname. For this reason, the default admission policy disallows hostname claims across namespaces. |
Cluster administrator privileges.
Edit the .spec.routeAdmission
field of the ingresscontroller
resource variable using the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge
spec:
routeAdmission:
namespaceOwnership: InterNamespaceAllowed
...
You can alternatively apply the following YAML to configure the route admission policy:
|
Some ecosystem components have an integration with Ingress resources but not with route resources. To cover this case, OpenShift Container Platform automatically creates managed route objects when an Ingress object is created. These route objects are deleted when the corresponding Ingress objects are deleted.
Define an Ingress object in the OpenShift Container Platform console or by entering the oc create
command:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: frontend
annotations:
route.openshift.io/termination: "reencrypt" (1)
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
service:
name: frontend
port:
number: 443
path: /
pathType: Prefix
tls:
- hosts:
- www.example.com
secretName: example-com-tls-certificate
1 | The route.openshift.io/termination annotation can be used to configure the spec.tls.termination field of the Route
as Ingress has no field for this. The accepted values are edge , passthrough and reencrypt . All
other values are silently ignored. When the annotation value is unset, edge is the default route. The TLS certificate details must be defined in the template file to implement the default edge route.
|
$ oc apply -f ingress.yaml
List your routes:
$ oc get routes
The result includes an autogenerated route whose name starts with frontend-
:
NAME HOST/PORT PATH serviceS PORT TERMINATION WILDCARD
frontend-gnztq www.example.com frontend 443 reencrypt/Redirect None
If you inspect this route, it looks this:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: frontend-gnztq
ownerReferences:
- apiVersion: networking.k8s.io/v1
controller: true
kind: Ingress
name: frontend
uid: 4e6c59cc-704d-4f44-b390-617d879033b6
spec:
host: www.example.com
path: /
port:
targetPort: https
tls:
certificate: |
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
insecureEdgeTerminationPolicy: Redirect
key: |
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
termination: reencrypt
to:
kind: service
name: frontend
If you create an Ingress object without specifying any TLS configuration, OpenShift Container Platform generates an insecure route. To create an Ingress object that generates a secure, edge-terminated route using the default ingress certificate, you can specify an empty TLS configuration as follows.
You have a service that you want to expose.
You have access to the OpenShift CLI (oc
).
Create a YAML file for the Ingress object. In this example, the file is called example-ingress.yaml
:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: frontend
...
spec:
rules:
...
tls:
- {} (1)
1 | Use this exact syntax to specify TLS without specifying a custom certificate. |
Create the Ingress object by running the following command:
$ oc create -f example-ingress.yaml
Verify that OpenShift Container Platform has created the expected route for the Ingress object by running the following command:
$ oc get routes -o yaml
apiVersion: v1
items:
- apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: frontend-j9sdd (1)
...
spec:
...
tls: (2)
insecureEdgeTerminationPolicy: Redirect
termination: edge (3)
...
1 | The name of the route includes the name of the Ingress object followed by a random suffix. |
2 | In order to use the default certificate, the route should not specify spec.certificate . |
3 | The route should specify the edge termination policy. |
If your OpenShift Container Platform cluster is configured for IPv4 and IPv6 dual-stack networking, your cluster is externally reachable by OpenShift Container Platform routes.
The Ingress Controller automatically serves services that have both IPv4 and IPv6 endpoints, but you can configure the Ingress Controller for single-stack or dual-stack services.
You deployed an OpenShift Container Platform cluster on bare metal.
You installed the OpenShift CLI (oc
).
To have the Ingress Controller serve traffic over IPv4/IPv6 to a workload, you can create a service YAML file or modify an existing service YAML file by setting the ipFamilies
and ipFamilyPolicy
fields. For example:
apiVersion: v1
kind: service
metadata:
creationTimestamp: yyyy-mm-ddT00:00:00Z
labels:
name: <service_name>
manager: kubectl-create
operation: Update
time: yyyy-mm-ddT00:00:00Z
name: <service_name>
namespace: <namespace_name>
resourceVersion: "<resource_version_number>"
selfLink: "/api/v1/namespaces/<namespace_name>/services/<service_name>"
uid: <uid_number>
spec:
clusterIP: 172.30.0.0/16
clusterIPs: (1)
- 172.30.0.0/16
- <second_IP_address>
ipFamilies: (2)
- IPv4
- IPv6
ipFamilyPolicy: RequireDualStack (3)
ports:
- port: 8080
protocol: TCP
targetport: 8080
selector:
name: <namespace_name>
sessionAffinity: None
type: ClusterIP
status:
loadbalancer: {}
1 | In a dual-stack instance, there are two different clusterIPs provided. |
2 | For a single-stack instance, enter IPv4 or IPv6 . For a dual-stack instance, enter both IPv4 and IPv6 . |
3 | For a single-stack instance, enter SingleStack . For a dual-stack instance, enter RequireDualStack . |
These resources generate corresponding endpoints
. The Ingress Controller now watches endpointslices
.
To view endpoints
, enter the following command:
$ oc get endpoints
To view endpointslices
, enter the following command:
$ oc get endpointslices